[4769] in Kerberos
Bellovin and Merritt ('91) question
daemon@ATHENA.MIT.EDU (mctajdi@dct.ac.uk)
Thu Mar 9 05:43:28 1995
To: kerberos@MIT.EDU
Date: 9 Mar 95 10:13:40 GMT
From: mctajdi@dct.ac.uk
Hi,
I've been reading Bellovin and Merritt's USENIX 91 article on Kerberos
limitations, and am having difficulty understanding one of their statements.
On page 11/12, they suggest that the nonce field can be sent both in the clear
and encrypted in the user's login key (in KRB_AS_REQ) to provide
pre-authentication.
They state that this is more secure than allowing an attacker to collect
tickets encrypted with the user's key, which allows password-guessing attacks.
In the first instance, the attacker could capture these nonce fields
(cleartext and encrypted) as they pass by on the network, and run a password-
guessing attack on the encrypted field to find the cleartext value (ie a known-
plaintext attack).
In the second instance, the attacker captures the encrypted ticket as it passes
by, and runs a password-guessing attack (a ciphertext-only attack, relying on
the correctly decrypted value to be readable).
Am I missing some point, or is this just aimed at less competent attackers who
send a request to the KDC pretending to be the other user, and thus get sent
the tickets encrypted in the other user's login key ?
Thanks,
Alex.
